zkLend Hacked for Nearly 10 Million US Dollars, Offers 10% Bounty in the Hope That the Hacker Returns the Funds

ABMedia
02-13

The decentralized lending protocol zkLend was hacked on February 12, resulting in a loss of $9 million. The protocol offered a 10% bounty to the attacker, stating that if the remaining funds are returned by February 14, all legal liability will be waived.

zkLend Hacked for $9 Million, Attacker Funds Laundered Through Railgun

According to the blockchain security team SlowMist, the lending project zkLend on the Starknet chain was attacked, resulting in a loss of $9 million.

🚨SlowMist Security Alert🚨

The lending project @zkLend on the Starknet chain was attacked today, with more than $9 million in assets lost!

The SlowMist security team found that the core reason for this attack lies in the safeMath library adopted by the market contract. When… https://t.co/YmvzVXxmiD pic.twitter.com/S3P73E4uxu

— SlowMist (@SlowMist_Team) February 12, 2025

The core reason for this attack was the use of direct division in the safeMath library of the market contract, which led to a rounding-down vulnerability in the calculation of the number of zTokens to be burned during withdrawal operations. The attacker may have exploited this vulnerability to illegally obtain profits.
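
The rounding direction described above, as an added example (not zkLend's code and not part of the original article): it assumes a hypothetical share-based pool in which one zToken is worth `ACCUMULATOR / SCALE` units of the underlying asset, and all names and values are constructed. It compares direct (floor) division with ceiling division when computing the burn, and checks that a withdrawal never pays out more than the burned zTokens were worth.

```python
# Added illustration: constructed values, hypothetical names, not zkLend's contract code.
SCALE = 10**27                 # assumed fixed-point scale
ACCUMULATOR = 25 * 10**26      # constructed: one zToken is worth 2.5 underlying units


def burn_floor(amount: int, accumulator: int = ACCUMULATOR) -> int:
    """Direct division: the number of zTokens to burn is rounded DOWN."""
    return amount * SCALE // accumulator


def burn_ceil(amount: int, accumulator: int = ACCUMULATOR) -> int:
    """Hardened form: round the burn UP so rounding error favours the pool."""
    return -((-amount * SCALE) // accumulator)


def share_value(shares: int, accumulator: int = ACCUMULATOR) -> int:
    """Underlying value backing `shares`, rounded down."""
    return shares * accumulator // SCALE


def unbacked_payout(amount: int, burn_fn) -> int:
    """Underlying paid out minus the value of the zTokens burned for it.

    A positive result breaks the solvency invariant: the withdrawal
    removed more value from the pool than the burned zTokens represented.
    """
    return amount - share_value(burn_fn(amount))


def check_invariant(burn_fn, amounts=range(1, 1000)) -> list:
    """Return the withdrawal amounts for which the invariant fails."""
    return [a for a in amounts if unbacked_payout(a, burn_fn) > 0]


if __name__ == "__main__":
    print("floor: zTokens burned for 4 units ->", burn_floor(4))
    print("ceil:  zTokens burned for 4 units ->", burn_ceil(4))
    print("floor violations in 1..999:", len(check_invariant(burn_floor)))
    print("ceil  violations in 1..999:", len(check_invariant(burn_ceil)))
```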

The team advised users to closely monitor their assets on zkLend and temporarily suspend deposit-related operations to avoid potential losses.

Subsequently, another security company, Cyvers, also reported that the attacker had transferred the stolen funds to the Ethereum blockchain and used the privacy service Railgun to launder the money. However, due to Railgun's protocol policy, these funds were ultimately returned to the original addresses.


zkLend Offers 10% Bounty to Hacker

After the attack, zkLend immediately issued an announcement offering a 10% bounty to the hacker in exchange for the return of the remaining funds by February 14, stating that all legal liability will be waived:

We know you are the mastermind behind the attack on zkLend today. You can keep 10% of the funds as a white hat hacker reward, and return the remaining 90%, which is approximately 3,300 ETH.

Additionally, zkLend stated that they have cooperated with security companies and law enforcement agencies, and if there is no response within 14 days, they will take further action to investigate and prosecute the attacker.

Affected Users Criticize Team for Allowing Fund Outflow

In response, affected user 0xYANGZAI took to social media platform X to express dissatisfaction with the StarkNet team's inaction, questioning whether there was internal involvement:

12 hours after the theft, they still allowed the outflow of 1,800 ETH from the L2 to L1 cross-chain bridge, which makes one suspect insider involvement.

He stated that he plans to file a police report in Hong Kong this week and call on other victims to take action, while also urging investigations into the DEXes and CEXes that have interacted with the hacker's addresses.

Crypto Hacks Remain Rampant

According to Chainalysis' 2024 Security Incident Report, the value of stolen funds grew by about 21% year-over-year, reaching $2.2 billion. While the majority of stolen funds came from DeFi services, the primary targets in the second and third quarters were centralized services.

In 2024, private key leaks were the main cause of cryptocurrency theft (43.8%), with much of it seemingly related to the rampant activities of North Korean hackers, who have infiltrated many crypto companies and disrupted their networks.

It is reported that the amount stolen by North Korean hackers from various crypto projects has reached a new historical high of $1.34 billion, accounting for 61% of the total stolen funds for the year.


As cryptocurrency security issues become increasingly severe, users' own security awareness and preventive measures are particularly important.
